08-20-2008 8:22 PM
We are concerned about a vulnerability of using SAPXPG to issue OS commands to shut down or otherwise tamper with the availability of the SAP system. Please advise how to close this vulnerability.
08-20-2008 9:52 PM
Hi,
SAPXPG is really only meant to be used internally. As the ABAP system is platform-independent, it makes use of external RFC servers started by SAP Gateway to perform platform-dependent tasks. One example is executing operating system commands using transaction SM49. There is no SAP standard scenario that would remotely require the SAP Gateway to start any of these external RFC servers. You can therefore restrict access as documented in [Security Settings in SAP Gateway|http://help.sap.com/saphelp_nw70/helpdata/EN/1c/468e2f161b4f96b5401f02d30943b1/frameset.htm] to local access only. Remote access is only required for remote registration of RFC servers.
Example configurations:
secinfo (control access to RFC servers started by SAP Gateway):
# allow only local calls from ABAP to RFC servers on the local application server itself:
USER=*, USER-HOST=local, HOST=local, TP=*;
reginfo (control access to and from RFC servers registered by SAP Gateway):
# allow remote registration of RFC servers (TREX, IGS, etc.)
# check logged on clients in transaction SMGW to get a specific list of registered RFC servers on your system
TP=*
Please also have a look at the documentation above.
Best regards,
Christian
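The following is an added example, not part of the thread above and not SAP code: a small lint and simulator for secinfo/reginfo rules of the kind shown in the answer. It assumes the comma-separated KEY=VALUE syntax of the posted rules (a leading "P"/"D" token in the VERSION=2 style is also accepted), that the first matching rule wins, that "*" is a wildcard, that "local" matches the gateway's own host, that a missing field means no restriction, and that no matching rule means deny; the hostnames and user names are constructed. The real gateway's behaviour depends on release and on the gw/sec_info, gw/reg_info and gw/acl_mode profile parameters, so check the linked documentation before relying on the simulation. Run against the posted rules, the secinfo line permits a local caller and refuses a remote one, and the reginfo line (TP=* with no HOST field) is flagged because it does not restrict which hosts may register a program.

```python
"""Lint and simulate SAP Gateway secinfo/reginfo ACL rules (added example, not SAP code).

Assumptions (not taken from the thread or SAP documentation):
- version 1 syntax: comma-separated KEY=VALUE fields, optional trailing ';', '#' comments;
- a line starting with 'P ' or 'D ' is treated as VERSION=2 style, whitespace-separated;
- first matching rule wins; '*' is a wildcard; 'local' matches the gateway's own host;
- a missing field imposes no restriction; no matching rule means deny.
"""
import fnmatch

LOCAL_ALIASES = ("local", "localhost", "127.0.0.1")

# Constructed sample rules: the two posted ones plus a deliberately permissive secinfo.
POSTED_SECINFO = "USER=*, USER-HOST=local, HOST=local, TP=*;"
POSTED_REGINFO = "TP=*"
PERMISSIVE_SECINFO = "USER=*, HOST=*, TP=*"


def parse_acl(text):
    """Parse ACL text into a list of (action, fields) tuples; action is 'P' or 'D'."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        if not line:
            continue
        action = "P"                              # version 1 rules are always permits
        if line[:2].upper() in ("P ", "D "):      # VERSION=2 style: leading P/D token
            action, line = line[0].upper(), line[2:]
            tokens = line.split()
        else:
            tokens = [t.strip() for t in line.split(",")]
        fields = {}
        for tok in tokens:
            if "=" not in tok:
                raise ValueError("malformed field: %r" % tok)
            key, value = tok.split("=", 1)
            fields[key.strip().upper()] = value.strip()
        rules.append((action, fields))
    return rules


def _matches(pattern, value, local_host):
    """Match one rule field against a request value."""
    if pattern is None or pattern == "*":
        return True                               # no restriction
    if pattern.lower() == "local":
        return value == local_host or value.lower() in LOCAL_ALIASES
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def secinfo_allows(rules, user, user_host, host, tp, local_host):
    """Would the gateway on local_host let user (calling from user_host) start tp on host?"""
    for action, f in rules:
        if (_matches(f.get("USER"), user, local_host)
                and _matches(f.get("USER-HOST"), user_host, local_host)
                and _matches(f.get("HOST"), host, local_host)
                and _matches(f.get("TP"), tp, local_host)):
            return action == "P"
    return False                                  # assumption: default deny


def lint_secinfo(rules):
    """Flag permit rules that let non-local callers start programs, or start any program remotely."""
    findings = []
    for i, (action, f) in enumerate(rules, 1):
        if action != "P":
            continue
        host, user_host, tp = f.get("HOST", "*"), f.get("USER-HOST", "*"), f.get("TP", "*")
        if host.lower() != "local" and tp == "*":
            findings.append("secinfo rule %d: any program may be started on host %s" % (i, host))
        if user_host.lower() != "local":
            findings.append("secinfo rule %d: callers from host %s may start %s" % (i, user_host, tp))
    return findings


def lint_reginfo(rules):
    """Flag permit rules that do not restrict which hosts may register a program."""
    findings = []
    for i, (action, f) in enumerate(rules, 1):
        if action != "P":
            continue
        host, tp = f.get("HOST", "*"), f.get("TP", "*")
        if host == "*":
            findings.append("reginfo rule %d: any host may register program %s" % (i, tp))
    return findings


if __name__ == "__main__":
    local = "appserver01"                         # constructed gateway hostname
    rules = parse_acl(POSTED_SECINFO)
    print(secinfo_allows(rules, "DDIC", local, local, "sapxpg", local))           # True: local call
    print(secinfo_allows(rules, "DDIC", "attacker-pc", local, "sapxpg", local))   # False: remote caller
    for finding in lint_secinfo(parse_acl(PERMISSIVE_SECINFO)) + lint_reginfo(parse_acl(POSTED_REGINFO)):
        print(finding)
```

To use it on a real system, read the files named by gw/sec_info and gw/reg_info into parse_acl and compare the lint output with the registered programs listed in SMGW, tightening any reginfo rule that can be given a HOST restriction.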
09-04-2008 4:21 PM